Davide Obbi
2018-Oct-09 13:27 UTC
[Gluster-users] glusterfs 4.1.5 - SSL3_GET_RECORD:wrong version number
Hi,

I have enabled SSL/TLS on a cluster of 3 nodes. The server-to-server communication seems to be working, since gluster volume status returns the three bricks, while we are unable to mount from the client; the client can also be one of the gluster nodes itself.

Options:

    /var/lib/glusterd/secure-acceess
    option transport.socket.ssl-cert-depth 3

    ssl.cipher-list: HIGH:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:TLSv1.2:!3DES:!RC4:!aNULL:!ADH
    auth.ssl-allow: localhost,glusterserver-1005,glusterserver-1008,glusterserver-1009
    server.ssl: on
    client.ssl: on
    auth.allow: glusterserver-1005,glusterserver-1008,glusterserver-1009
    ssl.certificate-depth: 3

We noticed the following in the glusterd logs; the .18 address is the client and one of the cluster nodes, glusterserver-1005:

    [2018-10-09 13:12:10.786384] D [socket.c:354:ssl_setup_connection] 0-tcp.management: peer CN = glusterserver-1005
    [2018-10-09 13:12:10.786401] D [socket.c:357:ssl_setup_connection] 0-tcp.management: SSL verification succeeded (client: 10.10.0.18:49149) (server: 10.10.0.18:24007)
    [2018-10-09 13:12:10.956960] D [socket.c:354:ssl_setup_connection] 0-tcp.management: peer CN = glusterserver-1009
    [2018-10-09 13:12:10.956977] D [socket.c:357:ssl_setup_connection] 0-tcp.management: SSL verification succeeded (client: 10.10.0.27:49150) (server: 10.10.0.18:24007)
    [2018-10-09 13:12:11.322218] D [socket.c:354:ssl_setup_connection] 0-tcp.management: peer CN = glusterserver-1008
    [2018-10-09 13:12:11.322248] D [socket.c:357:ssl_setup_connection] 0-tcp.management: SSL verification succeeded (client: 10.10.0.23:49150) (server: 10.10.0.18:24007)
    [2018-10-09 13:12:11.368753] D [socket.c:354:ssl_setup_connection] 0-tcp.management: peer CN = glusterserver-1005
    [2018-10-09 13:12:11.368770] D [socket.c:357:ssl_setup_connection] 0-tcp.management: SSL verification succeeded (client: 10.10.0.18:49149) (server: 10.10.0.18:24007)
    [2018-10-09 13:12:13.535081] E [socket.c:364:ssl_setup_connection] 0-tcp.management: SSL connect error (client: 10.10.0.18:49149) (server: 10.10.0.18:24007)
    [2018-10-09 13:12:13.535102] E [socket.c:203:ssl_dump_error_stack] 0-tcp.management: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
    [2018-10-09 13:12:13.535129] E [socket.c:2677:socket_poller] 0-tcp.management: server setup failed

I believe that something has changed since version 4.1.3, because using that version we were able to mount on the client and we did not get that SSL error. Also, the cipher volume option was not set in that version. At this point I can't understand whether node to node is actually using SSL or not, and why the client is unable to mount.

Thanks,
Davide
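Added example (not part of the original post, and not Gluster project code): a small Python parser that tallies TLS handshake outcomes per client address from glusterd socket.c log lines like those quoted above, showing which peers verified and which client addresses both verified and later failed. The regular expressions assume the log layout seen in this post; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Subset of the glusterd log lines quoted in the post above.
SAMPLE_LOG = """\
[2018-10-09 13:12:10.786384] D [socket.c:354:ssl_setup_connection] 0-tcp.management: peer CN = glusterserver-1005
[2018-10-09 13:12:10.786401] D [socket.c:357:ssl_setup_connection] 0-tcp.management: SSL verification succeeded (client: 10.10.0.18:49149) (server: 10.10.0.18:24007)
[2018-10-09 13:12:10.956960] D [socket.c:354:ssl_setup_connection] 0-tcp.management: peer CN = glusterserver-1009
[2018-10-09 13:12:10.956977] D [socket.c:357:ssl_setup_connection] 0-tcp.management: SSL verification succeeded (client: 10.10.0.27:49150) (server: 10.10.0.18:24007)
[2018-10-09 13:12:13.535081] E [socket.c:364:ssl_setup_connection] 0-tcp.management: SSL connect error (client: 10.10.0.18:49149) (server: 10.10.0.18:24007)
[2018-10-09 13:12:13.535102] E [socket.c:203:ssl_dump_error_stack] 0-tcp.management: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""

# Assumed layout: [timestamp] LEVEL [socket.c:line:function] translator: message
LINE = re.compile(r"^\[[^\]]+\] (?P<level>[A-Z]) \[socket\.c:\d+:(?P<func>\w+)\] \S+: (?P<msg>.*)$")
CLIENT = re.compile(r"\(client: (?P<ip>[\d.]+):\d+\)")

def summarize_tls(log_text):
    """Tally TLS handshake outcomes per client IP from socket.c log lines."""
    stats = defaultdict(lambda: {"cn": set(), "ok": 0, "failed": 0, "errors": []})
    last_cn = None      # the CN line is logged just before its success line
    last_failed = None  # client whose failure the next error-stack line explains
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg, func = m["msg"], m["func"]
        client = CLIENT.search(msg)
        if msg.startswith("peer CN = "):
            last_cn = msg[len("peer CN = "):].strip()
        elif "SSL verification succeeded" in msg and client:
            entry = stats[client["ip"]]
            entry["ok"] += 1
            if last_cn:
                entry["cn"].add(last_cn)
            last_cn = None
        elif "SSL connect error" in msg and client:
            last_failed = client["ip"]
            stats[last_failed]["failed"] += 1
        elif func == "ssl_dump_error_stack" and last_failed:
            # Keep only the OpenSSL reason text after the last colon.
            stats[last_failed]["errors"].append(msg.split(":")[-1].strip())
    return dict(stats)

def mixed_outcome_clients(stats):
    """Client IPs with both successful and failed handshakes."""
    return sorted(ip for ip, s in stats.items() if s["ok"] and s["failed"])
```
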
Davide Obbi
2018-Oct-09 15:10 UTC
[Gluster-users] glusterfs 4.1.5 - SSL3_GET_RECORD:wrong version number
Hi,

after running volume stop/start the error disappeared and the volume can be mounted from the server.

Regards

--
Davide Obbi
System Administrator
Booking.com B.V.